History command line to graylog

Hello, I'm new here.
I have been searching for a solution to send the Linux servers' command line history logs to the Graylog server, but I can't find anything for this… can you help me?

Sounds like you need to log all commands to syslog, then connect that syslog to a Graylog input. Maybe check this out: https://www.baeldung.com/linux/log-all-user-commands

I have not tried it, just the first thing that came up.

There should be a ton of examples of connecting Linux syslog to a Graylog input in the GL docs and on this forum.

I found an easy way to do it without Filebeat or Auditbeat…

At the end of the /etc/profile file I added this function:

function log2syslog
{
    # user who actually logged in (survives sudo/su): first field of "who am i"
    From=$(/usr/bin/who am i | awk '{ print $1 }')
    declare COMMAND
    # most recent command from the shell history
    COMMAND=$(fc -ln -0)
    logger -p local1.notice -t bash -i -- "${From}:${USER}:${COMMAND}"
}
trap log2syslog DEBUG

The variables $From and $USER are for users who switch to other users with sudo; with this I can capture both users.

Then in the /etc/rsyslog.conf file add this line:

*.* @<graylog-server>:514;RSYSLOG_SyslogProtocol23Format

You can modify this last line with the facilities you want to capture.
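A small parser for the lines this setup produces, added here as an illustration and not part of the original posts: it assumes rsyslog forwards with RSYSLOG_SyslogProtocol23Format (RFC 5424 layout), that the app name is the `bash` tag set by `logger -t`, and that the message body is the `From:USER:COMMAND` string built above. The sample lines are constructed; the host name, PIDs and commands are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 5424 header as written by rsyslog's RSYSLOG_SyslogProtocol23Format template:
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
LOCAL1 = 17  # facility number used by "logger -p local1.notice"

# Constructed sample input (not real server output).
SAMPLE_LINES = [
    "<141>1 2024-05-01T10:15:00.000000+00:00 web01 bash 4242 - -  alice:alice:ls -la",
    "<141>1 2024-05-01T10:15:07.000000+00:00 web01 bash 4251 - -  alice:root:vi /etc/rsyslog.conf",
    "<141>1 2024-05-01T10:15:09.000000+00:00 web01 bash 4251 - -  alice:root:echo a:b:c",
    "<30>1 2024-05-01T10:15:10.000000+00:00 web01 sshd 900 - - Accepted publickey for alice",
]

@dataclass
class ShellEvent:
    host: str
    login_user: str      # $From in the profile snippet: who actually logged in
    effective_user: str  # $USER: the account the shell is running as
    command: str
    switched: bool       # True when the two differ, i.e. the user changed identity

def parse_event(line: str) -> Optional[ShellEvent]:
    """Parse one forwarded line; return None for anything that is not a bash history event."""
    m = RFC5424.match(line)
    if not m or m.group("app") != "bash" or int(m.group("pri")) // 8 != LOCAL1:
        return None
    # Body is From:USER:COMMAND. Split at most twice so colons inside the
    # command itself (e.g. "echo a:b:c") stay part of the command.
    parts = m.group("msg").strip().split(":", 2)
    if len(parts) != 3:
        return None
    login_user, effective_user, command = parts
    return ShellEvent(m.group("host"), login_user, effective_user, command,
                      login_user != effective_user)

def privileged_switches(lines: List[str]) -> List[ShellEvent]:
    """Events where the login user ran commands under another account (sudo/su)."""
    events = (parse_event(line) for line in lines)
    return [e for e in events if e is not None and e.switched]

if __name__ == "__main__":
    for ev in privileged_switches(SAMPLE_LINES):
        print(f"{ev.host}: {ev.login_user} ran as {ev.effective_user}: {ev.command}")
```

The same split logic can be reproduced in a Graylog pipeline rule or extractor, so the two user names and the command land in separate fields for searching and alerting.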

Thanks!!

